Using CloudFlare and WordPress: Five Easy First Steps

    很多人使用國外的虛擬主機來架wordpress。

這一篇官方文章很實用，可以幫你把該設定的設定好。




廢話不多說，請看：

文章來源：https://support.cloudflare.com/hc/en-us/articles/201717894-Using-CloudFlare-and-WordPress-Five-Easy-First-Steps

With tens of millions of sites on the internet using Wordpress, many WordPress sites have decided to use CloudFlare to make their site faster with our free CDN and to make the site more secure with our security. Since we get a lot of questions about WordPress online and in our support channel,  as well as a lot of common areas of confusion, we’ll cover recommended first steps in an easy to read article. All of these steps take very little time to do complete, and any WordPress user should be able to do most of the steps in a few minutes or less.

Basic steps recommended for all CloudFlare WordPress users

Step #1

Install the CloudFlare WordPress plugin to restore visitor IP. Since CloudFlare acts as a proxy for sites, CloudFlare’s IPs are going to show in your logs, including comments, unless you install something to restore the original visitor IP.

Why should you install the plugin?

If you receive a lot of comments or spam on your blog, you may mistakenly believe that CloudFlare is spamming you. Some other security plugins you use may also rely on the original visitor IP for the security services to work properly and reduce false alerts.

Note: Users using W3 Total Cache (W3TC) can achieve this same function by entering in the fields. You also don’t need to worry about this if you activated through a hosting partner, since they already have mod_cloudflare added to their servers by default.

Step #2

Create a Page Rule to exclude the wp-admin or wp-login sections from CloudFlare’s caching and performance features. You can access PageRules in your CloudFlare 'Settings' options.

e.g.

*example.com/wp-admin/*
*example.com/wp-login/*

Why do this?

While there is not always an issue, we have seen instances where optional performance features like Rocket Loader may inadvertently break certain functions (editors, etc.) in your WordPress back end.

Step #3

Login to your CloudFlare Threat Control panel and whitelistist IP addresses you want traffic from or expect traffic from. Some common services you probably want to whitelist include:

• APIs you’re pulling from
• Monitoring services you use to monitor your site's uptime
• Security services
• IP addresses you frequently login from

Why do this?

If CloudFlare has an IP address with a high threat score going to your site, or if you have CloudFlare's Web Application Firewall turned on, you may get challenged working in your back end and/or services you want to access your site may get challenged. Taking the steps to whitelist in the beginning will help prevent future surprises on your site.

Note: We whitelist all known search engine and social media crawlers in our macro list. If you decide to block countries in Threat Control, please use care because you may end up inadvertently blocking their crawlers (blocking the USA, for example, could mean that their crawler gets challenged).

Step #4

Review your basic security settings

If you have a blog that is frequently the target of spam attacks or botnet attacks, changing your security level to a higher setting will help further reduce the amount of spam you get on your site. We default all users to a medium setting when they first add the domain to CloudFlare.

Why do this?

If you want your site to have less security and protection from various attacks, then you would want to change your settings to a lower level (please keep in mind this makes your site more vulnerable). If you want your site to have higher security, please keep in mind that you may get more false positives from visitors complaining about a challenge page that they have to pass to enter your site.

Step #5

If you are using services like .htaccess, firewalls or server mods to manage access to your site from visitors, it is vitally important to make sure requests from CloudFlare’s IP ranges are not being blocked or limited in any way. The number one cause of site offline issues in our support channel is something blocking or restricting requests from our IPs, so please take the time to make sure that all of CloudFlare’s IPs are whitelisted on your server.

Why do this?

Prevent false offline messages from appearing on your site to your visitors.

----------------------------------------------------------------------------------

關於Step 2： page rule

你也可以參考以下文章：http://samantw.com/cloudflare-cache-bypass-wordpress/

[網站] Cloudflare 快取設定，避免 WordPress 的「wp-admin/」被快取而造成資安漏洞！